BlackBerry Enterprise Service 10
Version: 10.2
Configuration Guide

Published: SWD

Contents

Introduction
About this guide
What is BlackBerry Enterprise Service 10?
Key features of BlackBerry Enterprise Service 10
Configuring BlackBerry Enterprise Service 10 for the first time
Setting up the BlackBerry Enterprise Service 10 domain
BlackBerry Enterprise Service 10 administration consoles
Log in to the BlackBerry Device Service console
Log in to the Universal Device Service console
Log in to the BlackBerry Management Studio console
Troubleshooting: The browser does not trust the website's security certificate
Use the BES10 Configuration Tool
Managing the web keystores
Change the password for the web keystores
Import a new SSL certificate into the web keystores
About licensing
Configuring connection types and port numbers
Outbound ports: Managing BlackBerry devices
Outbound ports: Managing iOS and Android devices
Outbound ports: Device data
Outbound ports: Work space-enabled devices on a work Wi-Fi network
Internal ports: Database connections
Internal ports: Devices and components
Internal ports: Components and administration consoles
Internal ports: Administration consoles and browsers
Internal ports: BlackBerry Administration Service instances
Ports and proxy configuration
Connecting BlackBerry Enterprise Service 10 to a company directory
Connect the BlackBerry Device Service to Microsoft Active Directory
Connect the BlackBerry Device Service to an LDAP directory
Connect the Universal Device Service to Microsoft Active Directory
Connect the Universal Device Service to an LDAP directory
Configuring single sign-on for the BlackBerry Enterprise Service 10 consoles
Prerequisites
Configure constrained delegation for the Microsoft Active Directory account to support single sign-on
Configure single sign-on for the Administration Console
Configure single sign-on for the BlackBerry Administration Service
BlackBerry Administration Service URL for single sign-on
Assigning the device management role for Android devices and iOS devices
Assign the device management role to a different instance or high availability pair
Configuring high availability for BlackBerry Enterprise Service 10
Architecture: High availability for BlackBerry Enterprise Service 10
Components that support high availability failover
Components that do not support high availability failover
Health parameters and the availability of BlackBerry Enterprise Service 10 components
Prerequisites: Installing a standby instance of the core components
Install a standby instance of the core components
Fail over device service manually
Switch the primary and standby instances
Tasks to perform after an automatic or manual failover
Turn off automatic failover
Change the active Administration Console instance
Monitoring a high availability configuration
Configuring high availability for BlackBerry Enterprise Service 10 databases
Database mirroring for both BlackBerry Enterprise Service 10 databases
System requirements: Database mirroring
Prerequisites: Configuring database mirroring
Configuring database mirroring
Configuring BlackBerry Enterprise Service 10 to support database mirroring
Using gatekeeping to control which devices can access Microsoft ActiveSync
Configure Microsoft Exchange permissions for gatekeeping
Configure Microsoft IIS permissions for gatekeeping
Create a Microsoft ActiveSync configuration in the Universal Device Service
Turn on Microsoft ActiveSync gatekeeping for BlackBerry devices
Monitoring BlackBerry Enterprise Service 10 components
Supported SNMP operations
System requirements: SNMP monitoring
Configuring SNMP monitoring
Configuring SNMP traps
Troubleshooting
Restarting BlackBerry Enterprise Service 10 components
Restarting one component
Restarting all components
Setting up BlackBerry Device Service components
Changing the security settings of the BlackBerry Administration Service
Configuring Microsoft Active Directory authentication in an environment that includes a resource forest
Changing password settings for BlackBerry Administration Service authentication
Regenerate the system credentials for the BlackBerry Administration Service
Configuring multiple BlackBerry Administration Service instances
Change the name of the BlackBerry Administration Service pool
Configuring the BlackBerry Administration Service to use a proxy server
Configuring proxy selection for the BlackBerry Administration Service
Configuring the BlackBerry Administration Service to authenticate with a proxy server
Connect to an SMTP server to send notifications to users
Create an activation message to test the SMTP
Creating a shared network folder for distributing apps to devices
Specify a shared network folder
Configuring how data is pushed to devices
Configuring the BlackBerry MDS Connection Service and the Enterprise Management Web Service to use a proxy server
Specifying a BlackBerry MDS Connection Service as a central push server
Restricting the push application content that users can receive
Managing push application requests
Configuring how the BlackBerry MDS Connection Service connects to BlackBerry devices
Disaster recovery planning for the BlackBerry Device Service
Backing up the BlackBerry Configuration Database
Back up the shared network folder
Restore the BlackBerry Device Service
Setting up Universal Device Service components
Connecting the BlackBerry Secure Connect Service to the BlackBerry Infrastructure through a TCP proxy server
Configure the BlackBerry Secure Connect Service to connect to the BlackBerry Infrastructure through a TCP proxy server
Configure the HTTP or HTTPS proxy server settings
Configure SMTP server settings
Configuring how the Universal Device Service contacts devices that are not responding
Configure how the Universal Device Service contacts devices that are not responding
Enabling the Secure Work Space for iOS devices and Android devices
Enable and test the work space connection
Importing the root certificate of the Universal Device Service to the Microsoft Exchange Server
Configure the BlackBerry Work Connect Notification Service
Configure the standby instance to support notifications for work space-enabled iOS devices
Understanding and installing APNs certificates
About APNs
Request a signed CSR from BlackBerry
Check the status of your request for a signed CSR from BlackBerry
Download the signed CSR from BlackBerry and save it

1 Introduction

This section provides information about the purpose of this guide, a description of the key features of BlackBerry Enterprise Service 10, and guidance for completing various configuration tasks.

About this guide

BlackBerry Enterprise Service 10 helps you manage BlackBerry devices, Android devices, and iOS devices for your organization. This guide provides instructions for configuring the BlackBerry Enterprise Service 10 components to meet your organization's needs.

This guide is intended for senior IT professionals who are responsible for setting up and deploying the product. Before you can complete the tasks in this guide, you need to install or upgrade the product and activate licenses. You can find instructions for installing or upgrading the product in the BlackBerry Enterprise Service 10 Installation Guide and the BlackBerry Enterprise Service 10 Upgrade Guide. You can find instructions for activating licenses in the BlackBerry Enterprise Service 10 Licensing Guide.

After you complete the tasks in this guide, you can create administrator accounts and user accounts, and you can configure server and device controls. You can find instructions for creating accounts and configuring server and device controls in the BlackBerry Device Service Advanced Administration Guide, Universal Device Service Advanced Administration Guide, and BlackBerry Management Studio Basic Administration Guide.

Related information: Product documentation

What is BlackBerry Enterprise Service 10?

BlackBerry Enterprise Service 10 helps you manage mobile devices for your organization. You can manage BlackBerry devices and BlackBerry PlayBook tablets, as well as iOS and Android devices, all from a unified interface. BlackBerry Enterprise Service 10 is designed to help protect business information, keep mobile workers connected with the information they need, and provide administrators with efficient tools that help keep business moving forward.

BlackBerry Enterprise Service 10 includes the following components:

| Component | Description |
| --- | --- |
| BlackBerry Device Service | Provides advanced administration for BlackBerry 10 devices and BlackBerry PlayBook tablets |
| Universal Device Service | Provides advanced administration for iOS and Android devices |
| BlackBerry Management Studio | Provides a unified interface to administer common tasks for BlackBerry 10 devices, BlackBerry PlayBook tablets, BlackBerry 7.1 and earlier devices, iOS devices, and Android devices |
| BES10 Self-Service | Provides a console to users so that they can perform some self-service tasks. For example, users can create activation passwords, remotely change the password on their device, or delete data from the device. |

Key features of BlackBerry Enterprise Service 10

The table below describes some of the key features for BlackBerry Enterprise Service 10.

| Feature | Description |
| --- | --- |
| Management of most types of devices | BlackBerry Enterprise Service 10 supports all types of BlackBerry devices and tablets, as well as iOS devices and Android devices. |
| Single, unified interface | BlackBerry Management Studio is a single, web-based interface where you can view all devices in one place and access the most common management tasks across multiple domains. These tasks include creating and managing groups, managing device controls, and activating mobile devices. |
| Trusted and secure experience | Device controls give you precise management of how devices connect to your network, what capabilities are enabled, and what apps are available. Whether the devices are owned by your organization or your users, you can protect your organization's information. |
| Balance of work and personal needs | BlackBerry Balance and Secure Work Space technology are designed to ensure that personal and work information are kept separate and secure on devices. If the device is lost or the employee leaves the organization, you can delete only work-related information or all information from the device. Additional security features are available depending on the device type. |

Configuring BlackBerry Enterprise Service 10 for the first time

The following table describes, at a high level, the mandatory configuration tasks that you must complete after you install BlackBerry Enterprise Service 10, and the optional configuration tasks you can complete to meet your organization's needs. This is not a complete list of all of the configuration tasks that are covered in this guide. Review all sections of the guide to identify additional tasks that might be appropriate for your organization's environment.

| Task | Mandatory or Optional | Description | Resource |
| --- | --- | --- | --- |
| Obtain and activate licenses | Mandatory | To manage user accounts and devices, you must obtain and activate the appropriate licenses. | BlackBerry Enterprise Service 10 Licensing Guide |
| Import a new SSL certificate into the web keystores | Optional | To meet your organization's security requirements, you can import a new SSL certificate that the administration consoles and other components use to authenticate with browsers. | Managing the web keystores |
| Verify that the required external and internal ports are open | Mandatory | You must verify that the appropriate ports are available for components to connect to external resources, each other, and to devices. | Configuring connection types and port numbers |
| Connect to the BlackBerry Infrastructure through a TCP proxy server | Optional | To meet your organization's security standards and firewall rules, you can configure the BlackBerry Secure Connect Service to connect to the BlackBerry Infrastructure by routing data through a TCP proxy server. | Connecting the BlackBerry Secure Connect Service to the BlackBerry Infrastructure through a TCP proxy server |
| Connect BlackBerry Enterprise Service 10 to the company directory | Mandatory | You must connect BlackBerry Enterprise Service 10 to the company directory so that BlackBerry Enterprise Service 10 can access user data. | Connecting BlackBerry Enterprise Service 10 to a company directory |
| Configure single sign-on for the administration consoles | Optional | You can configure single sign-on authentication so that you do not have to log in to the administration consoles manually. | Configuring single sign-on for the BlackBerry Enterprise Service 10 consoles |
| Configure high availability for the core components | Optional | To enhance the stability and reliability of your environment, you can install and configure a standby instance of the core components that serves as a backup to the primary instance. | Configuring high availability for BlackBerry Enterprise Service 10 |
| Configure high availability for the BlackBerry Enterprise Service 10 databases | Optional | To retain database service and data integrity if issues occur with the BlackBerry Enterprise Service 10 databases, you can install and configure mirror databases that serve as a backup to your principal databases. | Configuring high availability for BlackBerry Enterprise Service 10 databases |
| Configure support for Microsoft ActiveSync gatekeeping | Optional | If you configured Microsoft Exchange to block devices from using Microsoft ActiveSync unless the devices are added to an allowed list, you must configure BlackBerry Enterprise Service 10 to support this feature. | Using gatekeeping to control which devices can access Microsoft ActiveSync |
| Configure the BlackBerry Administration Service to use a proxy server | Optional | To meet your organization's security requirements, you can configure the BlackBerry Administration Service to route data through a proxy server. | Configuring the BlackBerry Administration Service to use a proxy server |
| Create a shared network folder for distributing apps to devices | Optional | If you want to use BlackBerry Enterprise Service 10 to distribute apps to devices, you must specify a shared network folder that the BlackBerry Administration Service can use to store and distribute apps. | Creating a shared network folder for distributing apps to devices |
| Monitor BlackBerry Enterprise Service 10 components | Optional | You can use third-party SNMP tools to monitor the activity of certain BlackBerry Enterprise Service 10 components. | Monitoring BlackBerry Enterprise Service 10 components |
| Configure SMTP server settings | Optional | When you activate users, if you want BlackBerry Enterprise Service 10 to send activation emails to users, you must specify the SMTP server settings that the BlackBerry Device Service and the Universal Device Service can use. | Connect to an SMTP server to send notifications to users; Configure SMTP server settings |
| Enable the work space | Optional | To support the work space for iOS and Android devices, you must configure an SSL connection between BlackBerry Enterprise Service 10 and the Microsoft Exchange Server, and configure the BlackBerry Work Connect Notification Service. | Enabling the Secure Work Space for iOS devices and Android devices |
| Install APNs certificates | Optional | If you want to manage and send data to iOS devices, you must obtain a signed CSR from BlackBerry, then you must obtain an APNs certificate from Apple and install it in your BlackBerry Enterprise Service 10 domain. | Understanding and installing APNs certificates |
| Install a new SSL certificate for the Communication Module | Optional | To satisfy your organization's security requirements, you can install a new SSL certificate that the Communication Module uses during the activation process. | Installing an SSL certificate for the Communication Module |
| Configure BlackBerry Management Studio to connect to additional domains | Optional | If your organization's environment includes additional BlackBerry Enterprise Service 10 domains, BlackBerry Enterprise Server 5.0 SP3 or later, or BlackBerry Enterprise Server Express 5.0 SP3 or later, you can configure BlackBerry Management Studio to connect to those domains. | Adding additional domains to BlackBerry Management Studio |

2 Setting up the BlackBerry Enterprise Service 10 domain

Before you activate and manage devices, you may need to configure some BlackBerry Enterprise Service 10 components so that they can run in your organization's environment. You can change port numbers to address any port conflicts, configure single sign-on between consoles, configure high availability, and more.

BlackBerry Enterprise Service 10 administration consoles

BlackBerry Enterprise Service 10 includes three consoles that you can use to manage the components and devices.

| Administration console | Description |
| --- | --- |
| BlackBerry Device Service console | Also known as the BlackBerry Administration Service, the BlackBerry Device Service console allows you to manage BlackBerry Device Service components, high availability, BlackBerry 10 devices, and BlackBerry PlayBook tablets. |
| Universal Device Service console | Also known as the Administration Console, the Universal Device Service console allows you to manage Universal Device Service components, iOS devices, and Android devices. |
| BlackBerry Management Studio | BlackBerry Management Studio allows you to manage licenses, view reports of your system, and perform some management tasks for BlackBerry 10 devices, BlackBerry PlayBook tablets, iOS devices, and BlackBerry 7.1 and earlier devices. |

Log in to the BlackBerry Device Service console

You can use the BlackBerry Device Service console, also known as the BlackBerry Administration Service, to manage the BlackBerry Device Service and the user accounts and devices that are associated with it. To open the console, you can use a browser on a computer that can access the computer that hosts the BlackBerry Administration Service. You can use a Microsoft Active Directory, LDAP, or BlackBerry Administration Service username and password to log in. When you install BlackBerry Enterprise Service 10, you specify the username and password that you use to log in for the first time.

1. In the browser, type https://<server_name>:<port>/webconsole/login, where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. The default port for the BlackBerry Administration Service is port
2. In the User name field, type your username.
3. In the Password field, type your password.
4. Perform one of the following actions:
   - In the Log in using drop-down list, click BlackBerry Administration Service.
   - In the Log in using drop-down list, click Active Directory and type the Microsoft Active Directory domain in the Domain field.
   - In the Log in using drop-down list, click LDAP.
5. Click Log in.
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

Log in to the Universal Device Service console

Also known as the Administration Console, the Universal Device Service console allows you to manage the Universal Device Service and the user accounts associated with it. To open the Administration Console, you can use a browser on any computer that has access to the computer that hosts the Administration Console. When you install BlackBerry Enterprise Service 10, you specify the username and password that you use to log in for the first time.

1. In the browser, type https://<server_name>:<port>, where <server_name> is the FQDN of the computer that hosts the Administration Console. The default port for the Administration Console is port
2. In the Username field, type your username.
3. In the Password field, type your password.
4. Click Log in.

Log in to the BlackBerry Management Studio console

The BlackBerry Management Studio console allows you to perform common administrative tasks for all the devices in your organization that are managed by BlackBerry Enterprise Service 10.

Before you begin: To perform this task, you must know the web address for BlackBerry Management Studio, the username, the password (if necessary), the domain name (for example, the Windows domain in your organization's environment), and the authentication method.

1. In the browser, type https://<server_name>:<port>, where <server_name> is the name of the computer that hosts BlackBerry Management Studio. The default port for BlackBerry Management Studio is
2. In the Username field, type your username.
3. In the Password field, type your password.
4. In the Log in using drop-down list, perform one of the following actions:
   - Click Direct authentication.
   - Click Microsoft Active Directory authentication and type the Microsoft Active Directory domain in the Domain field.
   - Click LDAP authentication.
5. Click Log in.

Troubleshooting: The browser does not trust the website's security certificate

Possible cause

The BlackBerry Administration Service (also known as the BlackBerry Device Service console), the Administration Console (also known as the Universal Device Service console), BlackBerry Management Studio, and BES10 Self-Service use the SSL certificate that the setup application generated.

Possible solution

If you experience this issue with the BlackBerry Administration Service, BlackBerry Management Studio, or BES10 Self-Service, perform one of the following actions:

- Replace the SSL certificate that the setup application generated with one issued by a trusted CA. For more information, see Import a new SSL certificate into the web keystores.
- Install the SSL certificate that the setup application generated in the certificate store of all computers that are used to access the BlackBerry Administration Service, BlackBerry Management Studio, and BES10 Self-Service.

If you experience this issue with the Administration Console, install the SSL certificate that the setup application generated in the certificate store of all computers that are used to access the Administration Console website.

Use the BES10 Configuration Tool

The BES10 Configuration Tool is installed on each computer that you install BlackBerry Enterprise Service 10 on. Depending on the components that you choose to install, the BES10 Configuration Tool includes different tabs and configuration options. You can use the tool to configure system settings that are not available in other consoles. For example, you can use the tool to change port configuration and database authentication for the BlackBerry Configuration Database.

1. On a computer that hosts a BlackBerry Enterprise Service 10 component, on the taskbar, click Start > All Programs > BlackBerry Enterprise Service 10 > Configuration Tool for BlackBerry Enterprise Service 10.
2. If a Windows message appears and requests permission to make changes to the computer, click Yes.
3. Make changes on the appropriate tabs.

Managing the web keystores

BlackBerry Enterprise Service 10 version 10.1 and later uses a different method of managing certificates than previous releases. The setup application generates and stores an SSL certificate in two password-protected keystore files: as.web.keystore and ncc.web.keystore. The following components use the SSL certificate to authenticate with browsers:

- BlackBerry Administration Service
- BlackBerry Management Studio
- BES10 Self-Service
- Enterprise Management Web Service
- BlackBerry Web Services

In BlackBerry Device Service 6.2 and earlier, certificates were stored in a web.keystore file. If you upgrade to BlackBerry Enterprise Service 10 version 10.1 or later, the upgrade process replaces the web.keystore file with as.web.keystore and ncc.web.keystore. Any existing certificates in web.keystore are not migrated to the new keystores.

You can use the BES10 Configuration Tool to change the password for the web keystores, or to import a new SSL certificate. When you use the BES10 Configuration Tool to import certificates into the keystores, the certificates are written to the BlackBerry Enterprise Service 10 databases and then to the keystores (this also occurs when you restart the BlackBerry Administration Service). This process overwrites any certificates that you imported into the keystores manually. BlackBerry Enterprise Service 10 does not support importing certificates into the keystores manually.

Change the password for the web keystores

Before you begin: To verify the current password for the keystores, log in to the BlackBerry Administration Service using an administrator account with the Security Administrator role. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view. Click BlackBerry Administration Service and check the Security settings section.

1. On a computer that hosts the BlackBerry Administration Service, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. On the Web Keystore tab, type the current password.
3. In the Change web keystore password section, type a new password and confirm the new password.
4. Click Apply.
5. Click OK.

After you finish:

- Restart any computers that host the BlackBerry Enterprise Service 10 administration consoles.
- Restart any computers that host the BlackBerry Enterprise Service 10 core components.

Import a new SSL certificate into the web keystores

When you install BlackBerry Enterprise Service 10, the setup application generates and stores an SSL certificate in two password-protected keystore files: as.web.keystore and ncc.web.keystore. You can import a new SSL certificate or a trusted certificate that a CA signs into both keystores.

The SSL certificate used by the Administration Console (also known as the Universal Device Service administration console) is stored in a separate keystore. If you want to import a new SSL certificate for the Administration Console, visit to read article KB

Before you begin:

- Generate or obtain a self-signed SSL certificate or a trusted certificate that a CA signs. The certificate must be in a keystore format (.jks, .pfx, .pkcs12).
- If you configure a BlackBerry Administration Service pool, you must generate an SSL certificate that uses the name of the BlackBerry Administration Service pool. You can find the pool name in the BES10 Configuration Tool.
- The SSL certificate must use the alias "httpssl".
- Add the FQDN of each computer that hosts the BlackBerry Web Services to the certificate's Subject Alternative Name field. This allows you to view information for each Universal Device Service instance in BlackBerry Management Studio after you import the certificate.
- To verify the current password for the keystores, log in to the BlackBerry Administration Service using an administrator account with the Security Administrator role. On the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view. Click BlackBerry Administration Service and check the Security settings section.

1. On a computer that hosts the BlackBerry Administration Service, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. On the Web Keystore tab, select the Import new SSL certificate option.
3. In the Current password field, type the password for the keystores.
4. In the Import new SSL certificate section, click the Browse button to navigate to and select the new SSL certificate.
5. In the Password field, type the password for the SSL certificate.
6. Click Apply.
7. Click OK.

After you finish:

- Restart any computers that host the BlackBerry Enterprise Service 10 administration consoles.
- Restart any computers that host the BlackBerry Enterprise Service 10 core components.
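The "Before you begin" requirements above can be checked before the file is handed to the BES10 Configuration Tool. The following is an added example, not BlackBerry's tooling: it parses the text printed by the JDK command `keytool -list -v -keystore <file>` and reports which requirements the keystore fails. The function names, the sample listing and the example.test host names are constructed for illustration, and reading "uses the name of the pool" as "subject CN or a DNS Subject Alternative Name" is an assumption.

```python
import re

REQUIRED_ALIAS = "httpssl"  # alias the guide requires for the imported certificate

# Constructed sample of `keytool -list -v` output; host names are placeholders.
SAMPLE_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: httpssl
Creation date: Jan 1, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=baspool.example.test, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: baspool.example.test
  DNSName: bws1.example.test
  DNSName: bws2.example.test
]

Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
"""


def parse_keytool_listing(text):
    """Return one dict per keystore entry: alias, entry type, leaf subject, leaf DNS SANs."""
    entries, current, cert_no, in_san = [], None, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip(),
                       "entry_type": "", "subject": "", "dns_sans": []}
            entries.append(current)
            cert_no, in_san = 0, False
            continue
        if current is None:
            continue
        chain = re.match(r"Certificate\[(\d+)\]:", line)
        if chain:
            cert_no, in_san = int(chain.group(1)), False
        elif line.startswith("Entry type:"):
            current["entry_type"] = line.split(":", 1)[1].strip()
        elif cert_no <= 1:  # leaf certificate only; CA certificates in the chain are ignored
            if line.startswith("Owner:") and not current["subject"]:
                current["subject"] = line.split(":", 1)[1].strip()
            elif line.startswith("SubjectAlternativeName"):
                in_san = True
            elif in_san and line == "]":
                in_san = False
            elif in_san and line.startswith("DNSName:"):
                current["dns_sans"].append(line.split(":", 1)[1].strip().lower())
    return entries


def name_covers(cert_name, fqdn):
    """True if a certificate name (optionally a left-most wildcard) covers fqdn."""
    cert_name, fqdn = cert_name.lower(), fqdn.lower()
    if cert_name.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == cert_name[2:]
    return cert_name == fqdn


def check_for_import(listing_text, web_service_fqdns, pool_name=None):
    """Return a list of problems; an empty list means the listed requirements are met."""
    entries = parse_keytool_listing(listing_text)
    # Strict, case-sensitive match: the guide spells the alias in lower case.
    entry = next((e for e in entries if e["alias"] == REQUIRED_ALIAS), None)
    if entry is None:
        found = ", ".join(e["alias"] for e in entries) or "none"
        return [f'no entry with alias "{REQUIRED_ALIAS}" (aliases found: {found})']
    problems = []
    if entry["entry_type"] != "PrivateKeyEntry":
        kind = entry["entry_type"] or "unknown entry"
        problems.append(f'alias "{REQUIRED_ALIAS}" is a {kind}, not a PrivateKeyEntry')
    for fqdn in web_service_fqdns:
        if not any(name_covers(san, fqdn) for san in entry["dns_sans"]):
            problems.append(f"Subject Alternative Name does not cover {fqdn}")
    if pool_name:
        cn = re.search(r"CN=([^,]+)", entry["subject"])
        names = entry["dns_sans"] + ([cn.group(1).strip()] if cn else [])
        if not any(name_covers(name, pool_name) for name in names):
            problems.append(f"certificate does not use the pool name {pool_name}")
    return problems


if __name__ == "__main__":
    result = check_for_import(SAMPLE_LISTING,
                              ["bws1.example.test", "bws2.example.test"],
                              pool_name="baspool.example.test")
    print("\n".join(result) if result else "keystore meets the listed requirements")
```

To check a real file, capture the keytool output to a text file and pass its contents as `listing_text`; an entry without a private key cannot serve TLS, which is why the entry type is checked as well.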

About licensing

After you install BlackBerry Enterprise Service 10, you must activate licenses. If you upgraded a supported product to BlackBerry Enterprise Service 10 version 10.1 or later, you must upgrade and activate licenses. You should activate licenses before you follow the configuration instructions in this guide, and before you add user accounts and activate devices.

For more information about the different types of licenses and activating licenses, visit docs.blackberry.com/bes10 to read the BlackBerry Enterprise Service 10 Licensing Guide.

22 Setting up the BlackBerry Enterprise Service 10 domain Configuring connection types and port numbers Ports are virtual connection points that software applications can use to send and receive data. Ports are distinguished by a specific port number. Different ports can be used to direct data to, or to receive data from, specific sources. Software applications send and receive data over ports using protocols. A protocol is a software language, with its own rules and conventions, that software applications use to send, receive, and interpret data. Typical protocols include TCP, HTTPS, and HTTP. The BlackBerry Enterprise Service 10 components use various ports to communicate with the BlackBerry Infrastructure, other external services, internal resources (for example, browsers), and with each other. The topics in this section list the default ports that the various components use. The tables indicate which ports you can change. If the table does not indicate that you can change the port, you must use the default port that is listed. Depending on the size and complexity of your organization s software environment, you may not need to change any of the port numbers. If your organization enforces certain security standards, restricts certain types of data that pass through the firewall, or has existing software that uses the ports that the components require, you may need to change some of the firewall settings or port settings. Outbound ports: Managing BlackBerry devices BlackBerry Enterprise Service 10 components use the following ports to send data to sources that are outside of your organization's firewall, such as the BlackBerry Infrastructure, and to receive data back from these sources. Configure your organization's firewall to allow outbound and inbound connections over these ports. For more information about domains and IP addresses to use in your firewall configuration, visit to read articles KB34193 and KB

23 Setting up the BlackBerry Enterprise Service 10 domain From To Purpose Protocol Port Where you can change the port BlackBerry Router (optional) BlackBerry Infrastructure To connect to the blackberry.com and blackberry.net subdomains (<region>.srp.blackberry.com) to activate and manage BlackBerry devices and to enable the use of the work space on BlackBerry devices. TCP 3101 BES10 Configuration Tool BlackBerry Dispatcher BlackBerry Infrastructure To connect to the blackberry.com and blackberry.net subdomains (<region>.srp.blackberry.com) to activate and manage BlackBerry devices and to enable the use of the work space on BlackBerry devices. TCP 3101 BlackBerry Administration Service BlackBerry Licensing Service BlackBerry Infrastructure To connect to the licensing infrastructure (license.blackberry.com) to activate licenses. HTTPS 443 Cannot change BlackBerry Administration Service BlackBerry Infrastructure To register activation information for BlackBerry devices and access device information. HTTPS 443 Cannot change BlackBerry Administration Service BlackBerry Infrastructure To specify public apps in BlackBerry World as optional work apps for BlackBerry devices. HTTP 80 Cannot change Related information Change the BlackBerry Router port numbers, 32 Outbound ports: Managing ios and Android devices BlackBerry Enterprise Service 10 components use the following ports to send data to sources that are outside of your organization's firewall, such as the BlackBerry Infrastructure, and to receive data back from these sources. Configure your organization's firewall to allow outbound and inbound connections over these ports. For more information about domains and IP addresses to use in your firewall configuration, visit to read articles KB34193 and KB

From | To | Purpose | Protocol | Port | Where you can change the port
BlackBerry Secure Connect Service | BlackBerry Infrastructure | To connect to the bbsecure.com subdomain (<region>.bbsecure.com) to allow work space-enabled devices to access work data, to send activation and management data between iOS and Android devices and BlackBerry Enterprise Service 10, and to allow iOS devices to connect to APNs for device notifications. | TCP | 3101 | Cannot change
BlackBerry Secure Connect Service through a TCP proxy server (optional) | BlackBerry Infrastructure | To route data through a TCP proxy server if you do not want a direct connection to the BlackBerry Infrastructure. | TCP | 3101 | Administration Console
BlackBerry Licensing Service | BlackBerry Infrastructure | To connect to the licensing infrastructure (license.blackberry.com) to activate licenses. | HTTPS | 443 | Cannot change
Administration Console | BlackBerry Infrastructure | To request a signed CSR from BlackBerry so you can obtain and register an APNs certificate. The APNs certificate is required to manage iOS devices. | HTTPS | 443 | Cannot change
Universal Device Service core components | BlackBerry Infrastructure | To connect to the <region>.swstps.bbsecure.com subdomain to authenticate BlackBerry Enterprise Service 10 and enable the use of the Secure Work Space on iOS and Android devices. | HTTPS | 443 | Cannot change
Universal Device Service core components | BlackBerry Infrastructure | To connect to <region>.swsmanager.bbsecure.com subdomain to enable administrative control over the work space on iOS and Android devices. | HTTPS | 443 | Cannot change
BlackBerry Work Connect Notification Service | BlackBerry Infrastructure | To provide new or changed and organizer notifications to work space-enabled iOS devices. | HTTPS | 443 | Cannot change
Scheduler | BlackBerry Infrastructure | To check a hosted metadata file each day at midnight for new device or OS data. Updates are downloaded to the Universal Device Service database. The hosted file is located at https://origin-www.blackberry.com/download/metadata/bes/metadata.xml.gz (IP address ). | HTTPS | 443 | Cannot change
Core Module | Apple Root Certification Authority | To check the certificate revocation list (used if you do not set up an APNs proxy server). | HTTPS, HTTP | | Cannot change
Core Module | SMTP gateway | To enable SMTP for an external SMTP gateway (optional). | TCP | 25 | Administration Console

Outbound ports: Device data

BlackBerry Enterprise Service 10 uses the outbound-initiated port 3101 to send and receive data for BlackBerry 10 devices and work space-enabled iOS and Android devices.

For iOS and Android devices that are not work space-enabled, BlackBerry Enterprise Service 10 sends and receives only activation and management data through the outbound-initiated port All other data, such as messaging data and data from third-party applications, is not sent through port Consult the documentation or support resources for your organization's messaging software and third-party applications to determine the ports that you must open.

Outbound ports: Work space-enabled devices on a work Wi-Fi network

Work space-enabled iOS and Android devices that use your organization's Wi-Fi network use the following outbound ports to connect to the BlackBerry Infrastructure and external services. Configure your organization's firewall to allow outbound and inbound connections over these ports.

From | To | Purpose | Protocol | Port | Where you can change the port
iOS devices, Android devices | BlackBerry Infrastructure | To connect to the <region>.bbsecure.com subdomain when activating the device. | TLS | 443 | Cannot change
iOS devices, Android devices | BlackBerry Infrastructure | To connect to the <region>.bbsecure.com subdomain so that administration commands can be applied to the devices. Port 443 is the default. Port 80 is only used by devices that were activated before you upgraded to BlackBerry Enterprise Service 10 version 10.2, or if the user specifies port 80. | TCP | | Cannot change
iOS devices | APNs | To send management data to and from iOS devices. | TCP | 5223 | Cannot change
Android devices | BlackBerry Infrastructure | To connect to the <region>.swsmanager.bbsecure.com subdomain. | HTTPS | 443 | Cannot change

Internal ports: Database connections

The BlackBerry Enterprise Service 10 databases, core components, and administration consoles must be able to communicate with each other and exchange data. If you install the databases on a computer separate from the core components or administration consoles, verify that the following static ports are open between the computers.

From | To | Protocol | Port | Where you can change the port
BlackBerry Administration Service, BlackBerry Management Studio, BlackBerry Dispatcher, BlackBerry MDS Connection Service, Enterprise Management Web Service | BlackBerry Configuration Database | TCP | 1433 | BES10 Configuration Tool
Administration Console, Core Module | Management Database | TCP | 1433 | BES10 Configuration Tool

Related information
Change the port number that components use to connect to the databases, 32

Internal ports: Devices and components

The BlackBerry Enterprise Service 10 components and devices use the following ports to communicate with each other and exchange data. Verify that the following ports are open in your organization's network (for example, an internal Wi-Fi network).

From | To | Purpose | Protocol | Port | Where you can change the port
BlackBerry devices | Enterprise Management Web Service | To activate devices using a wired connection or over a VPN or Wi-Fi network that you configured for BlackBerry Enterprise Service 10. | HTTPS, HTTP | | BlackBerry Administration Service
Server-side push applications (SSL connection) | BlackBerry MDS Connection Service | To push application data to BlackBerry devices. Omitted if you configured a proxy server. | HTTPS | 9443 | BlackBerry Administration Service
Server-side push applications (non-SSL connection) | BlackBerry MDS Connection Service | To push application data to BlackBerry devices. Omitted if you configured a proxy server. | HTTP | 9080 | BlackBerry Administration Service

From | To | Protocol | Port | Where you can change the port
BlackBerry Web Services | Other BlackBerry Web Services instances | TCP | 8083 | During installation
BlackBerry Dispatcher | BlackBerry Controller | UDP | 4060 | Cannot change
SNMP queries and traps | SNMP agent | UDP, TCP | | Cannot change

Internal ports: Administration consoles and browsers

After you install the administration consoles, you can access the consoles from a different computer using supported browsers. Verify that the following ports are open between the computers that host the consoles and the computers that administrators use to access the consoles. For more information about supported browsers, visit docs.blackberry.com/BES10 to review the BlackBerry Enterprise Service 10 Compatibility Matrix.

From | To | Protocol | Port | Where you can change the port
Supported browser | BlackBerry Management Studio | HTTPS | 7443 | BES10 Configuration Tool
Supported browser | BES10 Self-Service | HTTPS | 7445 | BES10 Configuration Tool
Supported browser | BlackBerry Administration Service | HTTPS, HTTP | | BES10 Configuration Tool
Supported browser | Administration Console | HTTPS, HTTP | | Cannot change

Internal ports: BlackBerry Administration Service instances

You can install the administration consoles on multiple computers (for example, to set up a BlackBerry Administration Service pool). If you do, verify that the following ports are open between the computers that host instances of the BlackBerry Administration Service.

Change the BlackBerry Router port numbers
Configuring the BlackBerry Administration Service to use a proxy server
Configuring the BlackBerry MDS Connection Service and the Enterprise Management Web Service to use a proxy server
Connecting the BlackBerry Secure Connect Service to the BlackBerry Infrastructure through a TCP proxy server
Configure the HTTP or HTTPS proxy server settings

Change the BlackBerry Router port numbers

1. On the computer that hosts the BlackBerry Router, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. On the BlackBerry Router tab, perform the following actions:
   a. In the SRP port (outgoing) field, type the port number that the BlackBerry Router uses to connect to the BlackBerry Infrastructure.
   b. In the BlackBerry Dispatcher port (incoming) field, type the port number that the BlackBerry Dispatcher uses to connect to the BlackBerry Router.
3. Click Apply.
4. Click OK.

After you finish:
   In the Windows Services, restart the BES10 - BlackBerry Router service.
   If the BlackBerry Dispatcher port is not 3101, in the BlackBerry Administration Service, type the BlackBerry Dispatcher port in the Port override field for any BlackBerry Device Service instances that connect to the BlackBerry Router.

Change the port number that components use to connect to the databases

You can change the static port number that BlackBerry Enterprise Service 10 components use to connect to the BlackBerry Enterprise Service 10 databases. You must perform this task if you change the port number that Microsoft SQL Server uses. By default, the databases accept TCP/IP connections to port number 1433 on Microsoft SQL Server.

1. On the computer that hosts the BlackBerry Enterprise Service 10 core components, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. On the Database Connectivity tab, verify that you selected the Static option for port configuration and type the new port number.
3. Click Apply.
4. Click OK.

After you finish:
   In the Windows Services, restart the BlackBerry Enterprise Service 10 services.
   Repeat the steps on each computer that hosts core components.

Change the BlackBerry Administration Service port numbers

1. On the computer that hosts the BlackBerry Administration Service, open the BES10 Configuration Tool. If a Windows message appears and requests permission to make changes to the computer, click Yes.
2. On the BlackBerry Administration Service Pool tab, in the Port settings section, change the appropriate port numbers.
3. Click Synchronize.
4. Click OK.

After you finish:
   In the Windows Services, restart the BlackBerry Administration Service services.
   Repeat the steps on each computer that hosts a BlackBerry Administration Service instance.
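After you change port numbers or firewall rules, one way to confirm that the TCP ports listed in this section are reachable is a short PowerShell check such as the following. This is an added example, not part of the BlackBerry guide; the angle-bracket host names and the parameter names are placeholders and assumptions, and the port numbers are the defaults from the tables above.

```powershell
# Added example (not BlackBerry code). Run it on the computer that originates
# each connection, and replace the angle-bracket placeholders first.
param(
    [string]$SrpHost     = '<region>.srp.blackberry.com',  # BlackBerry Infrastructure, region not filled in
    [string]$SqlHost     = '<sql_server_FQDN>',            # hypothetical placeholder
    [string]$ConsoleHost = '<console_computer_FQDN>',      # hypothetical placeholder
    [int]$TimeoutMs      = 3000
)

# Default TCP ports taken from the port tables in this section.
# Adjust the numbers if you changed them in the BES10 Configuration Tool.
$checks = @(
    @{ Purpose = 'BlackBerry Dispatcher/Router to BlackBerry Infrastructure'; Target = $SrpHost;                 Port = 3101 },
    @{ Purpose = 'Licensing infrastructure';                                  Target = 'license.blackberry.com'; Port = 443  },
    @{ Purpose = 'Components to databases (Microsoft SQL Server)';            Target = $SqlHost;                 Port = 1433 },
    @{ Purpose = 'Browser to BlackBerry Management Studio';                   Target = $ConsoleHost;             Port = 7443 },
    @{ Purpose = 'Browser to BES10 Self-Service';                             Target = $ConsoleHost;             Port = 7445 }
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws when the connect attempt
        # fails outright (connection refused, name not resolved, no route).
        if ($client.ConnectAsync($Target, $Port).Wait($TimeoutMs)) {
            return 'open'
        }
        return 'timeout (probably filtered by a firewall)'
    }
    catch {
        return 'failed: ' + $_.Exception.GetBaseException().Message
    }
    finally {
        $client.Close()
    }
}

$results = foreach ($check in $checks) {
    if ($check.Target -match '[<>]') {
        # Do not try to resolve a placeholder that was never filled in.
        $status = 'skipped (placeholder not replaced)'
    } else {
        $status = Test-TcpPort -Target $check.Target -Port $check.Port -TimeoutMs $TimeoutMs
    }
    [pscustomobject]@{
        Purpose = $check.Purpose
        Target  = $check.Target
        Port    = $check.Port
        Status  = $status
    }
}

$results | Format-Table -AutoSize
```

The check covers TCP only, so the UDP entries in the tables (for example, port 4060 between the BlackBerry Dispatcher and the BlackBerry Controller) need a separate test.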

Connecting BlackBerry Enterprise Service 10 to a company directory

You can connect BlackBerry Enterprise Service 10 to your company directory so that it can access the list of users in your organization. BlackBerry Enterprise Service 10 accesses the company directory to create user accounts, authenticate users when they activate devices, authenticate administrators for the BlackBerry Enterprise Service 10 consoles, and allow single sign-on among the consoles. If you do not connect BlackBerry Enterprise Service 10 to a company directory, you can create local user accounts and authenticate administrators using default authentication.

You can connect BlackBerry Enterprise Service 10 to Microsoft Active Directory or an LDAP directory. You must configure the BlackBerry Device Service and the Universal Device Service to connect to a company directory.

Connect the BlackBerry Device Service to Microsoft Active Directory

Before you begin: Create a Microsoft Active Directory account for the BlackBerry Device Service that is located in a Windows domain that is part of the resource forest. When you create the account, specify a password that meets the security requirements of your organization and configure the following password settings:
   The user is not required to change the password at next login.
   The user's password never expires.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Company directory integration.
2. Click Manage company directory connections.
3. Click Create a company directory connection.
4. Type a name and description for the company directory connection.
5. In the Type drop-down list, click Microsoft Active Directory.
6. Click Next.
7. In the Microsoft Active Directory login information section, in the User name field, type the name of the Microsoft Active Directory account that has permission to access the user containers and read the user objects that are stored in the global catalog servers that are in the resource forest.
8. In the Password and Confirm password fields, type the password for the Microsoft Active Directory account.
9. In the User domain field, type the name of the Windows domain that is a part of the resource forest.
10. In the Global catalog search base field, perform one of the following actions:
   To permit the BlackBerry Administration Service to search the global catalog, leave the field blank.
   To control which user accounts the BlackBerry Administration Service can authenticate with, type the DN of the user container (for example, OU=sales,DC=example,DC=com).
11. In the Global catalog server discovery drop-down list, perform one of the following actions:
   If you want the BlackBerry Administration Service to find all of the global catalog servers in the resource forest automatically, click Automatic.
   If you want to configure the global catalog servers that the BlackBerry Administration Service can access, click Specify servers and perform the following actions:
      a. In the Global catalog server section, type the FQDN of the global catalog server that you want the BlackBerry Administration Service to access (for example, globalcatalog01.example.com). You must type the FQDN of a global catalog server that is located in the Windows domain that the Microsoft Active Directory account is located in.
      b. Click the Add icon.
      c. Perform this step for each global catalog server that you want the BlackBerry Administration Service to access.
12. In the Support for linked Microsoft Exchange mailboxes section, perform one of the following actions:
   To disable support for linked Microsoft Exchange mailboxes, select the Turn off radio button.
   To enable support for linked Microsoft Exchange mailboxes, select the Turn on radio button. To configure the Microsoft Active Directory account for each forest, in the Account forest name section, type the user domain name, username, and password for the Microsoft Active Directory account.
13. In the Login domain section, in the Default domain field, type the name of the default domain that users log in from.
14. In the Single sign-on authentication for BlackBerry Administration Service turned on drop-down list, perform one of the following actions:
   If you want to enable single sign-on authentication for the BlackBerry Administration Service, click Yes.
   If you do not want to enable single sign-on authentication for the BlackBerry Administration Service, click No.
15. Optionally, in the Microsoft Active Directory search settings section, in the Active Directory user search filter field, type the search filter that you would like to use to refine the basic user information search results. The search filter must use LDAP syntax.
16. If your organization does not use the default Microsoft Active Directory fields, in the Attribute mappings section, for each mapping that you want to change, type the appropriate attribute in the External attribute field.
17. Click Save.

The BlackBerry Administration Service validates the information for Microsoft Active Directory authentication. If the information is valid, the BlackBerry Administration Service implements the changes immediately and you do not need to restart the BlackBerry Administration Service services. If the information is not valid, the BlackBerry Administration Service prompts you to specify the correct information.

Connect the BlackBerry Device Service to an LDAP directory

You can connect the BlackBerry Device Service to an LDAP directory so that it can access the list of users in your organization.

Before you begin:
   Create an LDAP account for the BlackBerry Administration Service that is located in the relevant LDAP realm. When you create the account, specify a password that meets the security requirements of your organization and configure the following password settings:
      The user is not required to change the password at next login.
      The user's password never expires.
   If the LDAP connection is SSL encrypted, import the server certificate before connecting the BlackBerry Device Service to the company directory. For instructions, see Import the server certificate for an LDAP connection using SSL.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Company directory integration.
2. Click Manage company directory connections.
3. Click Create a company directory connection.
4. Type a name and description for the company directory connection.
5. In the Type drop-down list, click LDAP.
6. Click Next.
7. In the Server discovery drop-down list, perform one of the following actions:
   To automatically discover the LDAP server, click Automatic. In the DNS domain name field, type the domain name for the server that hosts the company directory.
   To specify one or more LDAP servers, click Specify servers. Type the name of the LDAP server and click the Add icon. Repeat this step to add more servers.
8. In the Enable SSL drop-down list, perform one of the following actions:
   If the LDAP connection is SSL encrypted, click Yes.
   If the LDAP connection is not SSL encrypted, click No.
9. In the Port field, type the TCP port number for communication (for example, 636 for SSL enabled or 389 for SSL disabled).
10. In the Authorization required drop-down list, perform one of the following actions:
   If authorization is required for the connection, in the Authorization required drop-down list, click Simple. In the Login field, type the DN of the user who has authorization to log in to LDAP (for example, cn=admin,o=org1). In the Password and Confirm password fields, type the password.
   If authorization is not required for the connection, in the Authorization required drop-down list, click None.
11. Optionally, in the Search base field, type the value to use as the base DN for basic user information searches.
12. Optionally, in the User search filter field, type an LDAP search filter to improve basic user information search performance and results.
13. Optionally, in the User search scope drop-down list, perform one of the following actions:
   To search all objects below the base object, click All levels. This is the default setting.
   To search objects that are one level immediately below the base object, click One level.
   To search for a particular object, click Object level.
14. In the Display name field, type the attribute for each user's display name (for example, displayname). If you do not set the value, a default value is used.
15. In the address field, type the attribute for each user's address (for example, mail). If you do not set the value, a default value is used.
16. In the Username field, type the attribute for each user's username (for example, username).
17. In the Unique identifier field, type the attribute for each user's unique identifier (for example, uid).
18. In the UPN for SCEP field, type the attribute for the user principal name for SCEP (for example, userprincipalname).
19. In the profile account name field, type the attribute for each user's profile account name (for example, mail).
20. In the First name field, type the attribute for each user's first name (for example, givenname).
21. In the Last name field, type the attribute for each user's last name (for example, sn).
22. Click Save.

Import the server certificate for an LDAP connection using SSL

The imported server certificate is used if the LDAP company directory connection is SSL encrypted. The server certificate must be a .der or .cer file without a password.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Company directory integration.
2. Click Manage company directory connections.
3. Click Import server SSL certificate for LDAP.
4. Click Browse. Navigate to and select the SSL certificate that is used to trust the connection.
5. Click Save.
6. Log out, restart all BlackBerry Administration Service instances, and then log in again.

Connect the Universal Device Service to Microsoft Active Directory

You can connect the Universal Device Service to Microsoft Active Directory so that it can access the list of users in your organization.

1. In the Administration Console, on the menu bar, click Settings > Company Directory.
2. Select the Enable Microsoft Active Directory check box.
3. Type the username and password for the Microsoft Active Directory server.
4. In the Directory URL field, type LDAP://<host name>.<domain> or GC://<host name>.<domain>.
5. Click Test to test the Microsoft Active Directory server settings.
6. In the Polling interval for directory information field, select a unit of time from the drop-down list and specify how often you want the Universal Device Service to poll Microsoft Active Directory for user account information.
7. Click Save.

Connect the Universal Device Service to an LDAP directory

You can connect the Universal Device Service to an LDAP directory so that it can access the list of users in your organization.

Before you begin: If you want to use SSL authentication for the LDAP connection, you must import the server certificate using MMC. For more information, see Import the server certificate for an LDAP connection that uses SSL.

1. In the Administration Console, on the menu bar, click Settings > Company Directory.
2. Select the Corporate LDAP Directory checkbox.
3. In the LDAP server discovery drop-down list, complete one of the following tasks:
   Select Automatic, and type the domain name of the LDAP server in the Domain field.
   Select Select server from the list below, and type the server address in the LDAP Server field.
4. In the LDAP Port field, type the TCP port number for communication. The default port for an SSL enabled connection is 636. The default port for a connection that is not encrypted is
5. If the connection requires authorization, select the Authorization required checkbox, select None in the Authentication type drop-down list, and specify the username and password of the user that has LDAP search permissions.
   Note: For an SSL enabled connection that uses anonymous authorization, you must deselect the Authorization required checkbox.
6. Optionally, in the Search base field, type the location in the company directory where you want searches in the directory to begin.
7. Optionally, in the LDAP user search scope drop-down list, perform one of the following actions:
   To search all objects below the base object, click All levels. This is the default setting.
   To search objects that are one level immediately below the base object, click One level.
8. In the Object class field, type the name of the object class that your user accounts belong to.
9. In the Unique identifier field, type the unique identifier for the LDAP directory (for example, uid).
10. In the Login attribute field, type the login attribute to use for authentication (for example, cn).
11. In the address field, type the attribute that contains the user's address (for example, mail).
12. In the Display name field, type the attribute that contains the user's display name (for example, displayname).
13. Click Test to confirm that the connection to the company directory is configured correctly.
14. Click Save.

Import the server certificate for an LDAP connection that uses SSL

The imported server certificate is used if the LDAP company directory connection is SSL encrypted. The server certificate must be a .der or .cer file without a password.

1. On the computer that hosts the BlackBerry Enterprise Service 10 core components, open MMC by typing mmc in Windows PowerShell.
2. On the File menu, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, select Certificates.
4. Click Add.
5. In the Certificates snap-in dialog box, select Computer account.
6. Click Next.
7. Select Local computer, and click Finish.
8. Click OK.
9. In MMC, expand Certificates (Local Computer) > Trusted Root Certification Authorities.
10. Right-click Certificates and select All tasks > Import.
11. In the Certificate Import Wizard, click Next.
12. Browse for the Root CA certificate, and click Open.
13. Click Next until the final window in the wizard appears.
14. Click Finish.
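Once the root CA certificate is in the Trusted Root Certification Authorities store, you can confirm from the same computer that the LDAP server's certificate now chains to a trusted root before you enable SSL in the console. The following PowerShell check is an added example, not part of the BlackBerry guide; the server name is a placeholder and the parameter names are assumptions.

```powershell
# Added example (not BlackBerry code). Connects to the LDAP-over-SSL port,
# completes the TLS handshake, and reports how Windows judged the certificate.
# No LDAP bind is attempted and no credentials are sent.
param(
    [string]$LdapServer = 'ldap01.example.com',  # placeholder host name
    [int]$Port          = 636,                   # default SSL port named in the steps above
    [int]$TimeoutMs     = 5000
)

$script:observed = $null

# The callback records Windows' verdict instead of enforcing it, so that an
# untrusted chain can still be inspected. It is used for this check only.
$inspect = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $certificate, $chain, $policyErrors)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    $script:observed = [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        PolicyErrors = $policyErrors
        ChainStatus  = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    if (-not $client.ConnectAsync($LdapServer, $Port).Wait($TimeoutMs)) {
        throw "TCP connection to ${LdapServer}:$Port timed out"
    }
    $stream = $client.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $inspect
    try {
        # The target host must match a name in the server certificate.
        $ssl.AuthenticateAsClient($LdapServer)
    }
    finally {
        $ssl.Dispose()
    }
}
catch {
    Write-Warning ("Could not complete the check: " + $_.Exception.GetBaseException().Message)
}
finally {
    $client.Close()
}

if ($script:observed) {
    $script:observed | Format-List Subject, Issuer, NotAfter, Thumbprint, PolicyErrors

    if ($script:observed.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
        Write-Output "TRUSTED: the certificate chains to a root in this computer's store and matches $LdapServer."
    } else {
        Write-Output "NOT TRUSTED: $($script:observed.PolicyErrors)"
        # Typical causes: root CA not imported into the Local Computer store,
        # expired certificate, or a host name that is not in the certificate.
        $script:observed.ChainStatus | ForEach-Object { Write-Output "  chain: $_" }
    }

    $daysLeft = [int]($script:observed.NotAfter - (Get-Date)).TotalDays
    Write-Output "Certificate expires in $daysLeft day(s)."
}
```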

Configuring single sign-on for the BlackBerry Enterprise Service 10 consoles

You can configure single sign-on for BlackBerry Enterprise Service 10 consoles so that administrators and BES10 Self-Service users do not need to provide their usernames and passwords each time they access a console. When you configure single sign-on, the browser uses the Windows credentials that they logged in to the computer with to authenticate them automatically.

Single sign-on works if you require your organization's administrators and users to use Microsoft Active Directory authentication to log in to the BlackBerry Enterprise Service 10 consoles.

Single sign-on is beneficial if your organization's administrators need to access the BlackBerry Administration Service or Administration Console from the BlackBerry Management Studio frequently. It allows administrators to access the BlackBerry Administration Service or Administration Console from BlackBerry Management Studio without having to log in again.

You must configure single sign-on for all the BlackBerry Enterprise Service 10 consoles (for example, you cannot configure single sign-on for the Administration Console only).

Prerequisites

Install all BlackBerry Enterprise Service 10 instances in the same Microsoft Active Directory network.
Configure the BlackBerry Device Service and the Universal Device Service to connect to Microsoft Active Directory.
Ensure that the BlackBerry Device Service and the Universal Device Service use the same connectivity settings to Microsoft Active Directory.
Configure the consoles to use Microsoft Active Directory authentication.
Create a Microsoft Active Directory account in the User Account forest. This account can be a basic Microsoft Active Directory Domain user account (for example, it can be an LDAP reader account). This account does not require additional permissions, such as the permissions that the account used to run BlackBerry Enterprise Service 10 services requires, and it does not require access to Microsoft Exchange objects.
Configure the browsers used by administrators and BES10 Self-Service users as follows:
   Integrated Windows Authentication turned on
   The BlackBerry Administration Service, Administration Console, BlackBerry Management Studio, and BES10 Self-Service URLs assigned to the local intranet zone
   The certificates for the BlackBerry Enterprise Service 10 consoles installed in the certificate store

Configure constrained delegation for the Microsoft Active Directory account to support single sign-on

To support single sign-on, you need to configure constrained delegation for the Microsoft Active Directory account that you create. Constrained delegation allows the browser to use the credentials of the user to authenticate with Microsoft Active Directory.

For more information about configuring constrained delegation for the Microsoft Active Directory account, visit to read article KB

1. At a command prompt, use the setspn command to add the following SPNs for the consoles to the Microsoft Active Directory account:

   Deployment: Installed all BlackBerry Enterprise Service 10 components on a single computer
   SPNs to create:
      HTTP/<computer_FQDN>
      BASPLUGIN111/<computer_FQDN>

   Deployment: Installed the administration consoles on a separate computer from the BlackBerry Enterprise Service 10 core components
   SPNs to create:
      HTTP/<console_computer_FQDN>
      HTTP/<core_computer_FQDN>
      BASPLUGIN111/<console_computer_FQDN>
      BASPLUGIN111/<core_computer_FQDN>

   Deployment: Created a BlackBerry Administration Service pool
   SPNs to create:
      HTTP/<console_computerA_FQDN>
      HTTP/<console_computerB_FQDN>
      If you installed core components on a separate computer, HTTP/<core_computer_fqdn>
      HTTP/<BAS_pool_FQDN>
      BASPLUGIN111/<console_computerA_FQDN>
      BASPLUGIN111/<console_computerB_FQDN>
      If you installed core components on a separate computer, BASPLUGIN111/<core_computer_FQDN>
      BASPLUGIN111/<BAS_pool_FQDN>

   Deployment: Configured high availability by installing active and standby instances of core components
   SPNs to create:
      HTTP/<active_core_computer_FQDN>
      HTTP/<standby_core_computer_FQDN>
      If you installed the consoles on a separate computer, HTTP/<console_computer_fqdn>
      If you created a BlackBerry Administration Service pool, HTTP/<BAS_pool_FQDN>
      BASPLUGIN111/<active_core_computer_FQDN>
      BASPLUGIN111/<standby_core_computer_FQDN>
      If you installed the consoles on a separate computer, BASPLUGIN111/<console_computer_fqdn>
      If you created a BlackBerry Administration Service pool, BASPLUGIN111/<BAS_pool_FQDN>

   For example:
      setspn -F -S BASPLUGIN111/<FQDN_of_BAS_pool_name> <domain_name>\<user_name>
      For example, setspn -F -S BASPLUGIN111/BASconsole104.example.com EXAMPLE\ldapreader
      setspn -F -S HTTP/<FQDN_of_BAS_pool_name> <domain_name>\<user_name>
      For example, setspn -F -S HTTP/BASconsole104.example.com EXAMPLE\ldapreader

   You must ensure that the SPNs are not duplicated in the Microsoft Active Directory forest.
2. If you create separate sub-pools of BlackBerry Administration Service instances and BES10 Self-Service instances in the BlackBerry Administration Service pool, add the HTTP/<BAS_pool_FQDN> SPN for each sub-pool to the Microsoft Active Directory account.
3. Configure the Microsoft Active Directory account for constrained delegation using the following settings:
   Trust this user for delegation to specific services only
   Use Kerberos only
4. In the Microsoft Active Directory account properties, on the Delegation tab, add the SPNs that you created in steps 1 and 2 to the list of services.

Configure single sign-on for the Administration Console

1. In the Administration Console, on the menu bar, click Settings > Microsoft Active Directory.
2. On the Microsoft Active Directory screen, select Enable Windows Single Sign-on.
3. Click Test to test the Microsoft Active Directory settings.
4. Click Save.

After you finish: In the Windows Services, restart the BES10 Administration Console service.
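For the setspn step in the constrained delegation procedure above, the requirement that SPNs are not duplicated in the forest can be checked before anything is registered. The following PowerShell script is an added example, not part of the BlackBerry guide: it builds the HTTP and BASPLUGIN111 SPNs for the computers you name, searches the global catalog for existing owners, and prints the setspn command only for SPNs that are still missing. The parameter names are assumptions, and the default values reuse the sample names from the setspn examples above.

```powershell
# Added example (not BlackBerry code). Read-only: it queries the global
# catalog and prints commands, it does not change any account.
param(
    # FQDNs of the console computers, core computers, and BAS pool for your
    # deployment type (see the Deployment / SPNs to create list).
    [string[]]$ComputerFqdn = @('BASconsole104.example.com'),
    # Account that is configured for constrained delegation.
    [string]$Account = 'EXAMPLE\ldapreader'
)

Add-Type -AssemblyName System.DirectoryServices

# sAMAccountName part of DOMAIN\user, used to recognise our own registrations.
$sam = $Account.Split('\')[-1]

# Each computer or pool name needs both service classes.
$spns = foreach ($fqdn in $ComputerFqdn) {
    "HTTP/$fqdn"
    "BASPLUGIN111/$fqdn"
}

# A global catalog search covers every domain in the forest, which is the
# scope that setspn -F uses.
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$searcher = $forest.FindGlobalCatalog().GetDirectorySearcher()
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')

$report = foreach ($spn in $spns) {
    # FQDN characters need no LDAP filter escaping.
    $searcher.Filter = "(servicePrincipalName=$spn)"
    $owners = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    if ($owners.Count -eq 0) {
        $state  = 'missing'
        $action = "setspn -F -S $spn $Account"
    } elseif ($owners.Count -eq 1 -and $owners[0] -eq $sam) {
        $state  = 'registered'
        $action = 'none'
    } else {
        # Registered on another account, or on more than one account.
        # Kerberos authentication for this service fails until only the
        # delegation account holds the SPN.
        $state  = 'conflict'
        $action = 'review owners: ' + ($owners -join ', ')
    }

    [pscustomobject]@{
        SPN    = $spn
        State  = $state
        Action = $action
    }
}

$report | Format-Table -AutoSize -Wrap

if ($report | Where-Object { $_.State -eq 'conflict' }) {
    Write-Warning 'At least one SPN is held by a different account. Resolve the conflict before you configure delegation.'
}
```

An HTTP/<computer_FQDN> SPN reported as a conflict usually points to another web service account registered for the same host, which is worth reviewing before it is moved.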

Configure single sign-on for the BlackBerry Administration Service

When you configure single sign-on for the BlackBerry Administration Service, you also configure it for BES10 Self-Service and BlackBerry Management Studio.

1. In the BlackBerry Administration Service, on the BlackBerry solution management menu, expand Company directory integration.
2. Click Manage company directory connections.
3. Click the Microsoft Active Directory name that you want to change.
4. Click Edit company directory connection.
5. In the Microsoft Active Directory login information section, in the Single sign-on authentication for BlackBerry Administration Service turned on drop-down list, click Yes.
6. To configure the Microsoft Active Directory account for each forest, type the user domain name, user name, and password for the Microsoft Active Directory account.
7. Click the Add icon.
8. Click Save.

After you finish:
   In the Windows Services, restart all of the BlackBerry Administration Service services and the BlackBerry Management Studio service. Complete this step on all computers that host BlackBerry Enterprise Service 10 administration consoles.
   Instruct all administrators to add the URLs for the BlackBerry Enterprise Service 10 administration consoles to the list of web sites in the local intranet zone and install the certificates for the consoles in the certificate store of their computers.

BlackBerry Administration Service URL for single sign-on

If you configure single sign-on, you must instruct administrators to access the BlackBerry Administration Service using the following URL: https://<blackberry Administration Service_FQDN>:<port>/webconsole/login. The default port for the BlackBerry Administration Service is port

Single sign-on authentication takes precedence over other authentication methods that permit administrators to log in to the BlackBerry Administration Service. If the security policies in your organization require that administrators use another authentication method, you must instruct administrators to access the BlackBerry Administration Service using the following URL: https://<blackberry Administration Service_FQDN>:<port>/webconsole/app.

Assigning the device management role for Android devices and iOS devices

In a BlackBerry Enterprise Service 10 domain, one instance of the core components is responsible for communicating management data to and from Android devices and iOS devices. If you configure your environment to support high availability, this role is assigned to one high availability pair in the domain. When a failover occurs, the role is transferred from the primary instance to the standby instance.

By default, the setup application assigns this role to the first instance of the core components that you install in the domain, or to the first instance that you upgrade. Using the BlackBerry Device Service console (the BlackBerry Administration Service), you can assign this role to a different instance of the core components, or to a different high availability pair.

If you assign the role to a different instance or high availability pair, you must complete an additional task to connect the Administration Console to the primary instance with the role. If you do not complete this task, you cannot use the Administration Console to manage Android devices and iOS devices.

Note: If you assign the device management role to a different primary instance or high availability pair, BlackBerry Management Studio cannot connect to the new primary instance that is assigned the role. As a result, you cannot manage Android devices and iOS devices from BlackBerry Management Studio unless you assign the role back to the initial instance or high availability pair. A workaround is available if you want to configure BlackBerry Management Studio to connect to the new server instance with the device management role. To learn more about the workaround, visit to read article KB

Assign the device management role to a different instance or high availability pair

1. In the BlackBerry Administration Service, on the Servers and components menu, click BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Device Service.
2. Click Edit component.
3. In the BlackBerry Device Service instance used for non-BlackBerry Device Management drop-down list, click the appropriate instance or high availability pair.
4. Click Save all.

After you finish: After you assign the device management role for Android devices and iOS devices, you must connect the Administration Console to the primary instance with the device management role. See Configure the Administration Console to connect to the new primary instance.

If you assign the device management role to a different primary instance or high availability pair, BlackBerry Management Studio cannot connect to the new primary instance that is assigned the role. As a result, you cannot manage Android devices and iOS devices from BlackBerry Management Studio unless you assign the role back to the initial instance or high availability pair. A workaround is available if you want to configure BlackBerry Management Studio to connect to the new server instance with the device management role. To learn more about the workaround, visit to read article KB

Configure the Administration Console to connect to the new primary instance

The Administration Console must connect to the primary instance that is assigned the device management role for Android devices and iOS devices. If you assign this role to a different primary instance or high availability pair, or if a failover occurs in a high availability pair that is assigned the role (and you want device service to continue on the standby instance), you must connect the Administration Console to the new primary instance that is assigned the role.

1. On the computer that hosts the active Administration Console, navigate to <drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\webapps\ROOT\WEB-INF\classes.
2. In a text editor, open config.properties.
3. Locate mdm.restserver=<FQDN>:<port>, where <FQDN> is the FQDN of the initial primary instance, and <port> is the port that the Administration Console uses to connect to that computer. For example, mdm.restserver=https://SERVER1.TESTNET.RIM.NET:
4. Change <FQDN> to the FQDN of the computer that hosts the new primary instance with the device management role.
5. If necessary, change <port> to the port that the Administration Console uses to connect to the computer that hosts the new primary instance. The default port number is If you upgraded Universal Device Service 6.x to BlackBerry Enterprise Service 10 version 10.1 or later, the default port number is
6. Save and close the file.

After you finish: In the Windows Services, restart the BES10 - Administration Console service.

Configuring high availability for BlackBerry Enterprise Service 10

If you want to enhance the stability and reliability of BlackBerry Enterprise Service 10, you can configure the core components to support high availability. A high availability configuration includes one or more high availability pairs. A high availability pair consists of a primary instance of the core components, and a standby instance of the same components that you install on a different computer. Both instances use the same SRP credentials, and are connected to the same BlackBerry Enterprise Service 10 databases.

The primary instance is the active instance that communicates with devices and manages data in the domain. BlackBerry Enterprise Service 10 monitors the health and availability of the primary instance and the standby instance using health parameters with predefined performance thresholds. If the health parameters indicate that the primary instance is not performing as expected (for example, a component is not responding), BlackBerry Enterprise Service 10 initiates an automatic failover of device service to the standby instance. BlackBerry Enterprise Service 10 also verifies that the standby instance is healthy enough to be promoted. The standby instance becomes the new primary instance, and device service continues uninterrupted. The instance that was previously the primary becomes the standby instance.

When a failover event occurs, device service fails over to all components on the standby instance, regardless of whether there was an issue with one or several components on the primary instance. Each core component is associated with the BlackBerry Device Service or the Universal Device Service; all of the core components fail over together and use the same primary instance.

You can configure as many high availability pairs as your organization's environment requires. By default, the core components are configured for automatic failover. You have the option to turn off automatic failover, and you can initiate a manual failover at any time.

Architecture: High availability for BlackBerry Enterprise Service 10

The following diagram shows an example of a high availability configuration with two high availability pairs:

Component: Administration consoles
Description: The administration consoles are connected to all primary instances and standby instances in the domain. You can install one or several instances of each console. The consoles can be installed on a computer that hosts a primary instance or a standby instance, or on a different computer.

Component: Primary instance
Description: A primary instance is an active instance that communicates with devices and manages data in the domain. Each primary instance consists of the core BlackBerry Enterprise Service 10 components, and is associated with one standby instance. One primary instance in the domain is responsible for the device management role for Android devices and iOS devices. For more information about this role, see Assigning the device management role for Android devices and iOS devices. If a primary instance is not performing as expected, BlackBerry Enterprise Service 10 initiates an automatic failover of device service to the standby instance.

Component: Standby instance
Description: A standby instance is a back-up server for a primary instance. Each standby instance consists of the same core components as a primary instance, and is associated with one primary instance. When a failover occurs, BlackBerry Enterprise Service 10 verifies that a standby instance is healthy before promoting it to become the primary instance.

Component: BlackBerry Enterprise Service 10 databases
Description: The BlackBerry Enterprise Service 10 databases are the BlackBerry Configuration Database, associated with the BlackBerry Device Service, and the Management Database, associated with the Universal Device Service. You specify a name for the databases when you install BlackBerry Enterprise Service 10. By default, the name of a new BlackBerry Configuration Database is BDSMgmt. The setup application creates the Management Database and gives it the same name with "_UDS" appended (for example, BDSMgmt_UDS). If you upgrade from a supported product to BlackBerry Enterprise Service 10 version 10.1, the upgraded databases use the name of the existing database. For example, if you upgrade BlackBerry Device Service 6.2 to BlackBerry Enterprise Service 10 version 10.1, and the existing BlackBerry Configuration Database is named CorporateDB, the upgraded BlackBerry Enterprise Service 10 databases are named CorporateDB (BlackBerry Configuration Database) and CorporateDB_UDS (Management Database). Each primary instance and standby instance is connected to the BlackBerry Enterprise Service 10 databases. You can configure high availability for the databases using database mirroring. For more information, see Configuring high availability for BlackBerry Enterprise Service 10 databases.

Components that support high availability failover

The following BlackBerry Enterprise Service 10 core components support high availability using a failover model. The table below describes the status of each component on the primary instance and on the standby instance. Note that when an automatic or manual failover occurs, the standby instance becomes the new primary instance, and what was previously the primary instance becomes the standby instance.

Component: BlackBerry Controller
Associated with: BlackBerry Device Service
Status - primary: Started
Status - standby: Started
Description: Device service fails over from the primary instance to the standby instance.

Component: BlackBerry Dispatcher
Associated with: BlackBerry Device Service
Status - primary: Started
Status - standby: Started
Description: Device service fails over from the primary instance to the standby instance.

Component: BlackBerry MDS Connection Service
Associated with: BlackBerry Device Service
Status - primary: Started
Status - standby: Started
Description: Device service fails over from the primary instance to the standby instance.

Component: BlackBerry Secure Connect Service
Associated with: Universal Device Service
Status - primary: Started
Status - standby: Started
Description: Device service fails over from the primary instance to the standby instance.

Component: BlackBerry Web Services
Associated with: Universal Device Service
Status - primary: Started if instance has the device management role. Not started if instance does not have the device management role.
Status - standby: Not started
Description: The BlackBerry Web Services are started only on the primary instance with the device management role for Android devices and iOS devices. They are not started on other primary instances or standby instances. Device service fails over from the primary instance to the standby instance. The BlackBerry Web Services start automatically when device service fails over to the standby instance.

Component: BlackBerry Work Connect Notification Service
Associated with: Universal Device Service
Status - primary: Started if instance has the device management role. Not started if instance does not have the device management role.
Status - standby: Not started
Description: The BlackBerry Work Connect Notification Service is started only on the primary instance with the device management role for Android devices and iOS devices. It is not started on other primary instances or standby instances. Device service fails over from the primary instance to the standby instance. The BlackBerry Work Connect Notification Service starts automatically when device service fails over to the standby instance.

Component: Communication Module
Associated with: Universal Device Service
Status - primary: N/A
Status - standby: N/A
Description: Exists as a website in Microsoft IIS on both the primary instance and the standby instance.

Component: Core Module
Associated with: Universal Device Service
Status - primary: N/A
Status - standby: N/A
Description: Exists as a website in Microsoft IIS on both the primary instance and the standby instance.

Component: Enterprise Management Web Service
Associated with: BlackBerry Device Service
Status - primary: Started
Status - standby: Not started
Description: Device service fails over from the primary instance to the standby instance. The Enterprise Management Web Service starts automatically when device service fails over to the standby instance.

Component: Scheduler
Associated with: Universal Device Service
Status - primary: Started
Status - standby: Started
Description: On the primary instance, the Scheduler runs in primary mode. On the standby instance, the Scheduler runs in standby (or idle) mode.

Components that do not support high availability failover

Component: BlackBerry Administration Service
Description: You can install multiple instances to create a BlackBerry Administration Service pool. Data is load balanced across multiple BlackBerry Administration Service instances in the pool. If one instance is not available, the other instances in the pool manage the data. For more information about configuring a BlackBerry Administration Service pool, see Configuring multiple BlackBerry Administration Service instances, and visit docs.blackberry.com/bes10 to read the BlackBerry Enterprise Service 10 Installation Guide.

Component: Administration Console
Description: You can install more than one instance of the Administration Console in a BlackBerry Enterprise Service 10 domain, but only one instance can be active. The first instance that you install is started by default and is the active instance. Additional instances that you install are disabled. If the active Administration Console stops responding, you must restore service, or you can make another instance active (see Change the active Administration Console instance). For more information about installing the Administration Console, visit docs.blackberry.com/bes10 to read the BlackBerry Enterprise Service 10 Installation Guide.

Component: BlackBerry Management Studio
Description: You can install multiple instances of BlackBerry Management Studio in a domain, but BlackBerry Management Studio does not support failover from a primary instance to a standby instance. For more information about installing BlackBerry Management Studio, visit docs.blackberry.com/bes10 to read the BlackBerry Enterprise Service 10 Installation Guide.

Component: BlackBerry Licensing Service
Description: You can install more than one instance of the BlackBerry Licensing Service in a domain, but only one instance can be active. The first instance that you install is started by default and is the active instance. Additional instances that you install are disabled. If the active BlackBerry Licensing Service stops responding, you must restore service, or you can make another instance active. If the BlackBerry Licensing Service is not active, you cannot activate devices. You must complete the required actions before you make another instance active. For more information about configuring the BlackBerry Licensing Service, visit docs.blackberry.com/bes10 to read the BlackBerry Enterprise Service 10 Licensing Guide.

Component: BlackBerry Router
Description: The BlackBerry Router does not support failover from a primary instance to a standby instance.

Component: BlackBerry Collaboration Service
Description: You can install multiple instances to create a BlackBerry Collaboration Service pool. Data is load balanced across multiple BlackBerry Collaboration Service instances in the pool. If one instance is not available, the other instances in the pool manage the data. For more information about installing and configuring the BlackBerry Collaboration Service, visit to read the BlackBerry Collaboration Service for the Enterprise IM App Installation and Administration Guide.

Health parameters and the availability of BlackBerry Enterprise Service 10 components

BlackBerry Enterprise Service 10 uses health parameters to track the overall health and availability of the server components that transfer data and management settings to and from BlackBerry devices, Android devices, and iOS devices. Health parameters track the health of both the primary instance and the standby instance. The parameters indicate whether the server components are working as expected. Each parameter reports the status of a different EMM feature. For example, the wireless network access parameter indicates whether the BlackBerry Dispatcher can access the wireless network.

The health of each parameter is based on a predefined performance threshold. If the performance of the server components satisfies this threshold, the parameter is healthy and lists a status of available or connected. If the performance of the server components does not satisfy this threshold, the parameter is unhealthy and lists a status of not available or not connected.

On the primary instance, if any parameter above the failover threshold is unhealthy, device service fails over automatically to the standby instance. On the standby instance, if any parameter above the promotion threshold is unhealthy, device service cannot fail over from the primary instance to the standby instance (the standby instance cannot be promoted to become the primary instance).

Health parameters

Parameters above the failover threshold (primary) and the promotion threshold (standby)

On the primary instance, if any of the following parameters is unhealthy, device service fails over automatically to the standby instance. On the standby instance, if any of the following parameters is unhealthy, device service cannot fail over from the primary instance to the standby instance.

Parameter: Wireless network access
Description: This health parameter indicates whether the BlackBerry Dispatcher can access the wireless network.

Parameter: BlackBerry Dispatcher
Description: This health parameter indicates whether the BlackBerry Dispatcher can communicate with BlackBerry devices.

Parameter: Enterprise connectivity for BlackBerry devices
Description: This health parameter indicates whether the BlackBerry MDS Connection Service can communicate with the other components over HTTP or HTTPS. This does not include connectivity with the local Enterprise Management Web Service.

Parameter: Connection to the BlackBerry Configuration Database
Description: This health parameter indicates whether the components can connect to the BlackBerry Configuration Database (the database associated with the BlackBerry Device Service).

Parameter: BlackBerry Push
Description: This health parameter indicates whether the Enterprise Management Web Service can issue HTTP EMA pokes to devices, and whether devices receive HTTP EMA pokes.

Parameter: Management of BlackBerry devices
Description: This health parameter indicates whether the BlackBerry MDS Connection Service can communicate with the local Enterprise Management Web Service.

Parameter: Management of iOS and Android devices
Description: This health parameter indicates whether the components can deliver management settings to iOS devices and Android devices.

Parameters below the failover threshold (primary) and the promotion threshold (standby)

The following parameter does not trigger automatic failover from the primary instance to the standby instance, and does not impact the promotion of the standby instance.

Parameter: Enterprise connectivity for iOS and Android devices
Description: This health parameter indicates whether iOS devices and Android devices can connect to the components. This parameter does not impact failover or promotion because this functionality is load-balanced across every server instance (primary and standby) in the BlackBerry Enterprise Service 10 domain.

Prerequisites: Installing a standby instance of the core components

- Install a primary instance of the core components. Verify whether this instance is assigned the device management role for Android devices and iOS devices. By default, the setup application assigns this role to the first instance of the core components that you install in the domain, or to the first instance that you upgrade.
- Choose a different computer to host the standby instance of the core components. Verify that this computer meets the appropriate system requirements.
- When you install the standby instance, use the same service account that you used to install the primary instance, or a service account with the same permissions.
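The failover and promotion rule from the health parameter tables above can be written down as a small decision function, which is useful when turning monitoring data into alerts. The following Python code is an added example, not BlackBerry's implementation: the state names, the report format and the rule that a missing parameter counts as unhealthy are assumptions of this example, while the parameter names and status words come from the guide.

```python
# Parameters above the failover threshold (primary) and the promotion
# threshold (standby), as named in the guide.
ABOVE_THRESHOLD = (
    "Wireless network access",
    "BlackBerry Dispatcher",
    "Enterprise connectivity for BlackBerry devices",
    "Connection to the BlackBerry Configuration Database",
    "BlackBerry Push",
    "Management of BlackBerry devices",
    "Management of iOS and Android devices",
)
# Load-balanced across all instances, so it never drives failover or promotion.
BELOW_THRESHOLD = ("Enterprise connectivity for iOS and Android devices",)

HEALTHY = {"available", "connected"}
UNHEALTHY = {"not available", "not connected"}


def blocking_parameters(report):
    """Return the above-threshold parameters that are unhealthy in one report.

    report maps parameter name -> status text for a single instance.
    A parameter missing from the report counts as unhealthy (assumption of
    this example: no data is not proof of health).
    """
    unknown = set(report) - set(ABOVE_THRESHOLD) - set(BELOW_THRESHOLD)
    if unknown:
        raise ValueError(f"unknown health parameters: {sorted(unknown)}")
    blocking = []
    for name in ABOVE_THRESHOLD:
        status = report.get(name, "not available").strip().lower()
        if status not in HEALTHY | UNHEALTHY:
            raise ValueError(f"unrecognized status {status!r} for {name!r}")
        if status in UNHEALTHY:
            blocking.append(name)
    return blocking


def evaluate_pair(primary, standby, automatic_failover=True):
    """Classify one high availability pair from both instances' reports."""
    primary_bad = blocking_parameters(primary)
    standby_bad = blocking_parameters(standby)
    if primary_bad and standby_bad:
        state = "failover-blocked"        # primary failing, standby not promotable
    elif primary_bad:
        state = "failover" if automatic_failover else "manual-failover-needed"
    elif standby_bad:
        state = "standby-not-promotable"  # latent: a later failover would fail
    else:
        state = "healthy"
    return {"state": state, "primary": primary_bad, "standby": standby_bad}


def healthy_report():
    """Constructed report in which every parameter is healthy."""
    return {name: "available" for name in ABOVE_THRESHOLD + BELOW_THRESHOLD}


if __name__ == "__main__":
    primary = healthy_report()
    primary["Wireless network access"] = "Not connected"
    standby = healthy_report()
    standby["Connection to the BlackBerry Configuration Database"] = "not available"
    print(evaluate_pair(primary, standby))
```

The two states worth alerting on are failover-blocked and standby-not-promotable: in both, the pair no longer provides the protection that high availability was configured for.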

- It is a best practice to upgrade all BlackBerry 10 devices in your organization's environment to BlackBerry 10 OS version 10.1 or later. If device service fails over to the standby instance, you can continue to use the consoles to manage BlackBerry devices only if the devices use BlackBerry 10 OS version 10.1 or later. If the devices use an earlier version of the BlackBerry 10 OS or the BlackBerry PlayBook OS, the devices cannot connect to the Enterprise Management Web Service of the new primary instance (formerly the standby instance). As a result, you cannot manage the devices from the consoles until you perform one of the following actions:
   - Manually fail over device service back to the initial primary instance.
   - Move the user account and any associated devices to another high availability pair in the domain.
   - Activate the devices again.

Related information: Assigning the device management role for Android devices and iOS devices

Install a standby instance of the core components

When you install a standby instance of the core components, the setup application associates the components on the standby instance with the components on the primary instance. You can view and change settings for the standby components using the BlackBerry Administration Service.

1. Log in to the computer that you want to install the standby instance on using a service account with the correct permissions. The service account runs the BlackBerry Enterprise Service 10 services.
2. In the BlackBerry Enterprise Service 10 installation files, double-click setup.exe. If a Windows message appears and requests permission for setup.exe to make changes to the computer, click Yes.
3. Review the Windows account information that will be used to install the standby instance. Click Continue Installation.
4. In the License agreement dialog box, perform the following actions:
   - In the Customer information section, specify information for your organization and select your country or region.
   - In the License agreement section, read the license agreement. Select I accept the terms of the license agreement.
   - Click Next.
5. In the Setup type dialog box, select Use an existing BlackBerry Enterprise Service 10 domain.
6. Click Next.
7. In the Database information dialog box, perform the following actions:
   - In the Microsoft SQL Server name field, type the name of the computer that hosts the database server.
   - In the Database name field, type the name of the BlackBerry Configuration Database that is associated with the primary instance.
   - If you configured the database server to use static ports, select the Static option. If the static port number is not 1433, in the Port field, type the port number.
   - By default, the setup application uses Windows authentication to connect to the BlackBerry Enterprise Service 10 databases. If you select Microsoft SQL Server authentication, specify login information for a Microsoft SQL Server account.
   - Click Next.
8. In the Setup options dialog box, perform the following actions:
   - Select Install the BlackBerry Enterprise Service 10 core components.
   - Select Install the BlackBerry Enterprise Service 10 core components as a standby instance and associate it with a primary instance for high availability.
   - In the drop-down list, click the primary instance.
   - Click Next.
9. In the Preinstallation checklist dialog box, read and verify the information. Click Next.
10. In the Accounts and folders dialog box, in the Password field, type the password for the service account that you used in step 1.
11. Click Next.
12. In the Summary dialog box, verify that the information is correct. Click Install.
13. When the installation process completes, click Next.
14. In the Core Module Information dialog box, if necessary, change the port numbers in the Website information section and Port settings section. Click Next.
15. In the Communication Module information dialog box, if necessary, change the port number in the Website information section. Click Next.
16. In the Finalize installation dialog box, the setup application finishes installation tasks and the BlackBerry Enterprise Service 10 services start automatically. When all the services are running, click Next.
    Note: The BlackBerry Web Services, BlackBerry Work Connect Notification Service, and the Enterprise Management Web Service do not start automatically. These services are designed to start after device service fails over to the standby instance.
17. In the Console addresses dialog box, click Finish. By default, the setup application exports the BlackBerry Enterprise Service 10 web addresses to a .txt file.

By default, the primary instance is configured to fail over automatically if any of the health parameters above the failover threshold become unhealthy. For automatic failover to succeed, on the standby instance, the health parameters above the promotion threshold must be healthy.

Note: If you change the listening port for Microsoft SQL Server to a custom port, and you update the port value on the primary instance using the BES10 Configuration Tool, the standby instance is not updated with the new port value and cannot connect to Microsoft SQL Server.

After you finish:

- Restart the computer that hosts the primary instance.
- Restart the computer that hosts the standby instance.

If you have additional primary instances in your domain and you want to configure additional high availability pairs, repeat this task as required.

Post-installation tasks

Perform the following tasks, as required, after you install a standby instance. Instructions can be found in the appropriate sections of the BlackBerry Enterprise Service 10 Configuration Guide.

- If you want to manage iOS devices in your organization's domain, you must obtain an APNs certificate and upload it to the primary instance and the standby instance.
- If the domain will support work space-enabled iOS devices, enable the Secure Work Space and configure the standby instance to support notifications.
- If necessary, specify the same proxy mappings for the BlackBerry MDS Connection Service and Enterprise Management Web Service on the primary instance and the standby instance.
- Using the BlackBerry Administration Service, you can change the log file path for any instance of the core components in the domain. If you change the log file path for one instance in a high availability pair, for consistency, you can change the log file path for the other instance.

Note: If you uninstall a high availability pair, and then you install new instances that will use the same databases, the setup application tries to install the second instance of the core components as a standby instance. If you do not want the setup application to install the second instance as a standby, use the BlackBerry Administration Service to remove the high availability pair from the databases before you install the new instances.

Fail over device service manually

By default, the primary instance is configured to fail over automatically if any of the health parameters above the failover threshold become unhealthy. If the primary instance of the BlackBerry Enterprise Service 10 components is not running as expected, or if you want to perform maintenance activities on the primary instance, you can manually fail over device service to the standby instance.

Before you begin: Verify that the standby instance is running.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand High availability > Highly available instances.
2. Click the appropriate high availability pair.
3. In the High availability actions list, click Manual failover.
4. In the Select Standby Instance section, select the standby instance that you want device service to fail over to.
5. Click Yes Failover to standby instance.

After you finish: See Tasks to perform after an automatic or manual failover.

57 Setting up the BlackBerry Enterprise Service 10 domain Switch the primary and standby instances You can switch the primary instance in a high availability pair to a standby instance at any time. For example, you may want to stop device service on the primary instance for a short period of time while you complete maintenance activities. When both instances in a high availability pair are standby instances, device service is not active on either instance. When you complete your maintenance activities, you can choose which standby instance you want to promote to become the primary instance. You need to complete some additional configuration if you choose to promote the original standby instance to become the new primary instance. Before you begin: Verify that the standby instance is running. 1. In the BlackBerry Administration Service, on the Servers and components menu, expand High availability > Highly available instances. 2. Click the appropriate high availability pair. 3. In the High availability actions list, click Change primary instance to standby instance. 4. Click Yes Change instance to standby instance. 5. If necessary, perform any maintenance activities that are required. 6. In the High availability actions list, click Change standby instance to primary instance. 7. In the Select Standby Instance section, select the standby instance that you want to promote to become the primary instance. 8. Click Change instance to primary instance. After you finish: If you chose to promote the original standby instance to become the new primary instance, see Tasks to perform after an automatic or manual failover. Tasks to perform after an automatic or manual failover When an automatic failover occurs or you initiate a manual failover, you can choose to manually fail over device service back to the initial primary instance after you resolve the issue, or you can have device service continue indefinitely on the new primary instance (formerly the standby instance). 
If the failover occurs in a high availability pair that is assigned the device management role for Android devices and iOS devices, and you want device service to continue indefinitely on the new primary instance (the standby instance), you must complete an additional task so that you can continue to manage Android devices and iOS devices using the Administration Console. See Configure the Administration Console to connect to the new primary instance. If you plan to manually fail over device service back to the initial primary instance, you do not have to complete this task. For more information about the device management role, see Assigning the device management role for Android devices and iOS devices.

Note: If a failover occurs in a high availability pair that is assigned the device management role for Android devices and iOS devices, BlackBerry Management Studio cannot connect to the new primary instance (the standby instance) that is assigned the role. As a result, you cannot manage Android devices and iOS devices from BlackBerry Management Studio unless you manually fail over device service back to the initial primary instance. A workaround is available if you want to configure BlackBerry Management Studio to connect to the new server instance with the device management role. To learn more about the workaround, visit to read article KB

Configure the Administration Console to connect to the new primary instance

The Administration Console must connect to the primary instance that is assigned the device management role for Android devices and iOS devices. If you assign this role to a different primary instance or high availability pair, or if a failover occurs in a high availability pair that is assigned the role (and you want device service to continue on the standby instance), you must connect the Administration Console to the new primary instance that is assigned the role.

1. On the computer that hosts the active Administration Console, navigate to <drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\webapps\ROOT\WEB-INF\classes.
2. In a text editor, open config.properties.
3. Locate mdm.restserver=<FQDN>:<port>, where <FQDN> is the FQDN of the initial primary instance, and <port> is the port that the Administration Console uses to connect to that computer. For example, mdm.restserver=https://SERVER1.TESTNET.RIM.NET:
4. Change <FQDN> to the FQDN of the computer that hosts the new primary instance with the device management role.
5. If necessary, change <port> to the port that the Administration Console uses to connect to the computer that hosts the new primary instance. The default port number is If you upgraded Universal Device Service 6.x to BlackBerry Enterprise Service 10 version 10.1 or later, the default port number is
6. Save and close the file.
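The config.properties edit in the steps above, together with the service restart the guide asks for afterwards, as an added PowerShell example that is not part of the BlackBerry guide. The parameter names, the -Drive default standing in for <drive>, and the timestamped .bak copy are assumptions; the script refuses to write unless it finds exactly one mdm.restserver entry in the form the guide shows.

```powershell
# Added example (not from the BlackBerry guide). Run in an elevated session on
# the computer that hosts the active Administration Console.
param(
    [Parameter(Mandatory)] [string] $NewFqdn,  # FQDN of the new primary instance
    [string] $NewPort,                         # optional; omit to keep the current port
    [string] $Drive = 'C:'                     # assumption: stands in for <drive>
)
$ErrorActionPreference = 'Stop'

# Validate input before it reaches the file: host name characters only, valid port.
if ($NewFqdn -notmatch '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$') {
    throw "Not a valid FQDN: $NewFqdn"
}
if ($NewPort -and ($NewPort -notmatch '^\d{1,5}$' -or [int]$NewPort -lt 1 -or [int]$NewPort -gt 65535)) {
    throw "Not a valid TCP port: $NewPort"
}

$path = "$Drive\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10" +
        '\RIM.BUDS.Gui\webapps\ROOT\WEB-INF\classes\config.properties'

# Assumption: the file is a Java .properties file, which is ISO-8859-1 by
# convention, so read and write it in that encoding to keep other entries intact.
$latin1 = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
$lines  = [System.IO.File]::ReadAllLines($path, $latin1)

# Accept only the form the guide shows: [scheme://]host[:port]. Commented-out,
# escaped or duplicated entries do not match, and the script stops.
$pattern = '^(\s*mdm\.restserver\s*=\s*)(https?://)?([A-Za-z0-9.-]+)(?::(\d+))?\s*$'
$hits = @($lines | Where-Object { $_ -match $pattern })
if ($hits.Count -ne 1) {
    throw "Expected exactly one mdm.restserver entry in the expected form, found $($hits.Count)"
}

# Keep a copy of the working configuration so the change can be rolled back.
Copy-Item -LiteralPath $path -Destination "$path.$(Get-Date -Format yyyyMMddHHmmss).bak"

$updated = foreach ($line in $lines) {
    if ($line -match $pattern) {
        $port   = if ($NewPort) { $NewPort } else { $Matches[4] }
        $suffix = if ($port) { ":$port" } else { '' }
        "$($Matches[1])$($Matches[2])$NewFqdn$suffix"   # scheme is preserved as found
    } else { $line }
}
[System.IO.File]::WriteAllLines($path, [string[]]$updated, $latin1)

# The change takes effect only after the service restart the guide calls for.
Restart-Service -DisplayName 'BES10 - Administration Console'
```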
After you finish: In the Windows Services, restart the BES10 - Administration Console service.

Turn off automatic failover

By default, the primary instance is configured to fail over automatically if any of the health parameters above the failover threshold become unhealthy. You have the option to turn off automatic failover for a high availability pair.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand High availability > Highly available instances.
2. Click the appropriate high availability pair.
3. In the High availability actions list, click Turn off automatic BlackBerry Enterprise Service 10 failover.

After you finish: To turn on automatic failover, in the High availability actions list, click Turn on automatic BlackBerry Enterprise Service 10 failover.

Change the active Administration Console instance

You can install more than one instance of the Administration Console in a BlackBerry Enterprise Service 10 domain, but only one instance can be active. The first instance that you install is started by default and is the active instance. Additional instances that you install are disabled. If the active Administration Console stops responding, or if you want to stop the Administration Console to perform maintenance activities, you can restore service by making another instance active.

Before you begin: If necessary, on the computer that hosts the active Administration Console, in the Windows Services, stop the BES10 - Administration Console service. Change the startup type for the service from Automatic to Disabled.

1. On the computer that hosts a disabled Administration Console that you want to make active, you must configure the Administration Console to connect to the primary instance that is assigned the device management role for Android devices and iOS devices. For more information about this role, see Assigning the device management role for Android devices and iOS devices. For instructions to complete this task, see Configure the Administration Console to connect to the new primary instance.
2. On the computer that hosts the disabled Administration Console that you want to make active, in the Windows Services, change the startup type for the BES10 - Administration Console service to Automatic.
3. Start the BES10 - Administration Console service.

Monitoring a high availability configuration

Check the status of a high availability pair

You can use the BlackBerry Administration Service to check the status of a high availability pair, including the health parameters of the primary instance and the standby instance.
The availability column indicates whether an instance is currently serving as the primary instance or as the standby instance; this information is collected from the BlackBerry Enterprise Service 10 databases. The failover status column indicates whether the instance is running as expected and the current role of the instance (primary or standby); this information is collected from the BlackBerry Enterprise Service 10 components in real time.

1. In the BlackBerry Administration Service, on the Servers and components menu, expand High availability.
2. Click High availability summary.
3. In the Host Instance Name section, click the name of a high availability pair.
4. To view the status of the health parameters for the primary instance, in the last column for the primary instance, click More.
5. To view the status of the health parameters for the standby instance, in the last column for the standby instance, click More.

After you finish: If you want to keep the status information on-screen, and you want the page to refresh automatically every 30 seconds, in the System status section, click Refresh page automatically. This option turns off when you navigate to another page in the BlackBerry Administration Service.

If you uninstall the standby instance in a high availability pair, the standby instance will still display on this status screen with the health parameters listed as Not available or Not connected.

Related information: Health parameters

View information about the last automatic failover

1. In the BlackBerry Administration Service, on the Servers and components menu, expand High availability > High availability instances.
2. Click a high availability pair.
3. If an automatic failover occurred, in the System status section, the Failover time field displays the date and time that the failover occurred, and the Failover reason field displays the cause of the failover.

After you finish: To clear this information, click Clear failover time and reasons.

Configuring high availability for BlackBerry Enterprise Service 10 databases

You can use database mirroring to configure high availability for the BlackBerry Enterprise Service 10 databases. Database mirroring is a Microsoft SQL Server feature that allows you to retain database service and data integrity if issues occur with the databases in the BlackBerry Enterprise Service 10 domain. Database mirroring is supported for both the BlackBerry Configuration Database (associated with the BlackBerry Device Service) and the Management Database (associated with the Universal Device Service).

When you configure database mirroring, you set up a principal database and a mirror database. The databases are hosted on different computers and in different instances of Microsoft SQL Server. After you install the principal database on the principal server, you back up the principal database and use the backup files to create the mirror database on a different computer (the mirror server). You then configure a mirroring relationship between the two databases. When a mirroring session is active, the mirror database performs the same actions and stores the same data as the principal database.

You must configure the databases to use high-safety mode with automatic failover. In high-safety mode, the databases run synchronously. The mirror database synchronizes with the principal database as quickly as possible, and when the databases are synchronized, any changes are committed on both databases. To enable automatic failover, you set up a witness server to monitor the principal server. If the principal database stops responding, the witness initiates automatic failover to the mirror database. The BlackBerry Enterprise Service 10 components connect to the mirror database, and device service continues without interruption.
A role switch occurs: the mirror database becomes the principal database, and the database that was previously the principal is now the mirror database. Role switching can occur several times over the course of a mirroring session.

To learn more about database mirroring, visit technet.microsoft.com/sqlserver to read Database Mirroring - SQL Server 2008 R2 or Database Mirroring - SQL Server

Database mirroring for both BlackBerry Enterprise Service 10 databases

If you want to set up database mirroring, you must configure database mirroring for both the BlackBerry Configuration Database (associated with the BlackBerry Device Service) and for the Management Database (associated with the Universal Device Service). Configuring mirroring for both databases keeps data management consistent in the event of a failover, and prevents unnecessary errors.

When you install BlackBerry Enterprise Service 10, you install the BlackBerry Configuration Database and the Management Database on the same computer, in the same instance of Microsoft SQL Server. These are your principal databases, located on the principal server. You must create both mirror databases together on one computer (the mirror server), in a single instance of Microsoft SQL Server. You then configure the BlackBerry Enterprise Service 10 components to connect to the mirror server so that they can fail over to the mirror databases if necessary. You configure one witness server to monitor the principal server and initiate automatic failover if one of the principal databases stops responding.

System requirements: Database mirroring

Item: BlackBerry Enterprise Service 10 databases
Requirement: Database mirroring is supported for both BlackBerry Enterprise Service 10 databases:
